DDOS Attack

First serious and deliberate

Edge

3:27 pm on Mar 17, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Been publishing 25+ years and have likely seen most issues faced by web operators. So now, after all these years, I've been subjected to my first very-very hardcore DDOS attack. I'm seeing about a million unique IPs hitting a very broad range of PHP-based webpages.

I've mitigated the ongoing attack, which started a month and a couple of days ago, but it's got me thinking.

Is it an honor or a sign of success to be DDOSed by this many zombie computers?

Your thoughts.

thecoalman

7:21 am on Mar 18, 2025 (gmt 0)


Years ago I had a forum topic about a popular gold seller with negative reviews that was showing up well in search results. I got this anonymous email offering $500 to remove it and I refused on principle.

A week later the site is getting pummeled with on average 2000 requests per second from South Asian IPs, and that persisted for a week. I was able to implement Cloudflare for the final 2 or 3 days, which mitigated it. What was interesting was to see the scale rise and fall over a 24-hour period. It would pick up steam mid-afternoon my time, which was early morning their time, and go up throughout the evening. Presumably people were waking up and turning on compromised devices.

Same thing happened a week later. Based on the logs it looked like they must have run a bot across my host's IP range until they fingerprinted my IP with a specific request for a unique file on my site. Once they had the IP they just went around Cloudflare with custom DNS.

It was a learning experience. As of today I feel fairly secure. Firewall blocks all traffic to 80 and 443 unless it's Cloudflare traffic, email is sent/received through a different IP, and anything I'm aware of that can identify the origin IP has been removed. They would be able to attack the email server but no way to get around that; it's not critical for me so I can just null route that traffic. I also have an outstanding and very responsive host that has their own DDOS mitigation.

Topic about gold seller is still there. :)

not2easy

11:18 am on Mar 18, 2025 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



It can help to use Cloudflare when it gets out of hand. I would not feel honored so much as abused.

Edge

2:59 pm on Mar 18, 2025 (gmt 0)


"Firewall blocks all traffic to 80 and 443 unless it's Cloudflare traffic" I'll keep that in mind should I need it.

I'm seeing upped DDOS activity at about the time folks in the principal zombie-computer countries' time zone would quit work as well as start accessing their computers.

No ransom emails, just harassment. Technically the DDOS started a month and a few days ago but at a lower level that I could handle with htaccess IP bans of most of a particular country. Then the harassment upped dramatically; my best estimate shows it to be about 1 million uniques daily, from about 250K.

I got it managed using Cloudflare but it is a distraction from stuff I should be doing.

I'll play - experience comes in all forms good and bad.

thecoalman

6:15 pm on Mar 18, 2025 (gmt 0)


Are these IPs from Brazil? The reason I ask is a botnet from there has been very problematic over the past month for many forums, and if they are from Brazil it's probably not a purposeful DDOS.

"I'll keep that in mind should I need it."

If you want to stop a DDOS from someone determined, it's a must. Anything that can expose the origin IP needs to be severed, e.g. web application software that can retrieve remote files like avatars if you have a forum. Email is the other thing. If you have WHM it's quite easy because you have a main IP; configure the server/MX records to send/receive email from there. Put the site on another IP.
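The two origin-protection practices thecoalman describes above (accepting 80/443 only from Cloudflare, and never trusting what a request that reached the origin directly claims about itself), written up as an added example; this is not code from the thread. It assumes only the Python 3 standard library, and the two proxy ranges are illustrative entries standing in for Cloudflare's current published list.

```python
import ipaddress

# Illustrative proxy ranges (constructed sample for this example); a real deployment
# loads the current list Cloudflare publishes at https://www.cloudflare.com/ips/
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in ("173.245.48.0/20", "103.21.244.0/22")]


def is_cloudflare_peer(peer_ip, ranges=CLOUDFLARE_RANGES):
    """True when the TCP peer address falls inside one of the proxy's ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in ranges)


def real_client_ip(peer_ip, headers, ranges=CLOUDFLARE_RANGES):
    """Visitor IP for a proxied request, or None for a request that hit the origin
    directly (the 'went around Cloudflare with custom DNS' case).
    CF-Connecting-IP is only believed when the peer really is the proxy: anyone
    who finds the origin IP can connect straight to it and set that header freely."""
    if not is_cloudflare_peer(peer_ip, ranges):
        return None
    value = headers.get("CF-Connecting-IP")
    if value is None:
        return None
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:  # malformed header value: treat as untrusted
        return None


def nft_ruleset(ranges=CLOUDFLARE_RANGES):
    """nftables text that accepts 80/443 only from the proxy ranges and drops the
    rest, i.e. the host-firewall policy thecoalman describes. Load with `nft -f`.
    Only IPv4 ranges are emitted because the set is typed ipv4_addr."""
    elems = ", ".join(str(n) for n in ranges if n.version == 4)
    return "\n".join([
        "table inet cf_only {",
        "  set cloudflare_v4 {",
        "    type ipv4_addr",
        "    flags interval",
        f"    elements = {{ {elems} }}",
        "  }",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        "    tcp dport { 80, 443 } ip saddr @cloudflare_v4 accept",
        "    tcp dport { 80, 443 } drop",
        "  }",
        "}",
    ])
```

Other ports keep the default accept policy, which matches moving mail to a separate IP rather than firewalling it at the web host.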

Edge

9:21 pm on Mar 18, 2025 (gmt 0)


"Are these IPs from Brazil?" No, however I do get many bots from Brazil.

What would be the point of a non-purposeful DDOS? Seriously?

Kendo

11:40 pm on Mar 18, 2025 (gmt 0)


Are the infected computers leaving a footprint, i.e. any user-agent?

Or are they commandline/ping streams?

thecoalman

2:41 am on Mar 19, 2025 (gmt 0)


"What would be the point of a non-purposeful DDOS? Seriously?"

What I have seen over the past two years is an escalating amount of bots scraping forums. Some of them are so aggressive it amounts to a DDOS attack, and they will linger for days or even weeks.

Edge

1:36 pm on Mar 19, 2025 (gmt 0)


"any user-agent?"
Normal browser signatures (Windows and Apple) - no referrer.

Start and stop on the hour (last two days). Start (my time) 11:00 pm, stop 6:00 am.

Had a monster surge Monday early morning; enough got through Cloudflare to get my server load up to 9.0, which triggered the standard WHM email but not enough to hurt customer traffic.

Same variety of PHP files being hit; I'm still winning this thing (so far).

"bots scraping" - bots have been scraping me for 25+ years - you know, email, search, looking for security holes, all the standard stuff. Been running a honeypot htaccess auto-blocking script that I got off WebmasterWorld 23? years ago. I get about 10 a day.

Kendo

2:59 am on Mar 20, 2025 (gmt 0)


"Normal browser signatures (Windows and Apple)"

Since testing and logging fingerprints of visitors to one of our home pages, I am finding that a lot of what look like typical browser user-agents are not web browsers at all.

Edge

2:09 pm on Mar 21, 2025 (gmt 0)


"are not web browsers at all"

Probably my case as well; however, given the volume and the similarities to real browsers, the effort to sort and block is not worth it.

A benefit I'm seeing with Cloudflare "managed challenge" is that my dedicated server load is reduced, which in effect speeds things up for legitimate visitors. Google and other legit bots can get through just fine.

Also, with the bot noise reduced, I'm seeing a slightly different spread of just what my visitors are. At this moment I'm of the view that I should have had professional bot management in place years ago. My main site is huge and serves a lot of bandwidth. Over the years I've had to manage surges of scrapers and other nonsense, clean out my htaccess ban list and block all sorts of application holes bots would go down.

For big sites and/or sites with server-side processed applications, managing bots is a must.